实战部署openldap主从架构

一、openldap介绍

二、openldap特点

三、openldap相关缩写

四、openldap组件

五、openldap环境规划

六、openldap部署---Master端

七、openldap部署---Slave端

八、openldap使用LAM工具管理

九、Master-Slave测试是否同步



一、openldap介绍:

LDAP是轻量目录访问协议(Lightweight Directory Access Protocol)的缩写。

LDAP标准实际上是在X.500标准基础上产生的一个简化版本。



二、openldap特点:

LDAP的结构用树来表示,而不是用表格。正因为这样,就不能用SQL语句了。

LDAP可以很快地得到查询结果,不过在写方面,就慢得多。

LDAP提供了静态数据的快速查询方式。


Client/server模型:Server 用于存储数据;Client提供操作目录信息树的工具

 这些工具可以将数据库的内容以文本格式(LDAP 数据交换格式,LDIF)呈现在您的面前:

LDAP是一种开放Internet标准,LDAP协议是跨平台的 的Interent协议

 它是基于X.500标准的, 与X.500不同,LDAP支持TCP/IP(即可以分布式部署)


三、openldap相关缩写:

LDAP相关的缩写如下:

dn - distinguished name(区别名,主键)

o - organization(组织-公司)

ou - organization unit(组织单元-部门)

c - countryName(国家)

dc - domainComponent(域名)

sn - sure name(真实名称)

cn - common name(常用名称)



四、openldap组件:

OpenLDAP各组件的功能简介:

slapd:主LDAP服务器

slurpd:负责与复制LDAP服务器保持同步的服务器

对网络上的目录进行操作的客户机程序。下面这两个程序是一对儿:

ldapadd:打开一个到LDAP服务器的连接,绑定、修改或增加条目

ldapsearch:打开一个到LDAP服务器的连接,绑定并使用指定的参数进行搜索

对本地系统上的数据库进行操作的几个程序:

slapadd:将以LDAP目录交换格式(LDIF)指定的条目添加到LDAP数据库中

slapcat:打开LDAP数据库,并将对应的条目输出为LDIF格式.


五、openldap环境规划:

192.168.99.23               #openldap主服务器

192.168.99.22               #openldap从服务器




六、openldap部署---Master端:

[root@23 ~]# ifconfig eth0

eth0      Link encap:Ethernet  HWaddr D6:96:70:0F:5B:68  

          inet addr:192.168.99.23  Bcast:192.168.99.255  Mask:255.255.255.0

          inet6 addr: fe80::d496:70ff:fe0f:5b68/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:64663349 errors:0 dropped:0 overruns:0 frame:0

          TX packets:2718145 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:4461473725 (4.1 GiB)  TX bytes:154460825 (147.3 MiB)

          Interrupt:23


[root@23 ~]# yum -y install slapd openldap openldap-* httpd php php-ldap php-gd nscd  nss-pam-ldapd lrzsz pcre pcre-* openldap-devel compat-openldap mysql php-mysql mysql-server php-mbstring php-xml php-bcmath db4 db4-utils

[root@23 openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@23 openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

[root@23 openldap]# slappasswd         #生成openldap cn的md5加密的密码

New password: 

Re-enter new password: 

{SSHA}PKQau21DcwYc1kAYtXHHkmglDWWJTByB


[root@23 openldap]# cat /etc/openldap/slapd.conf    #配置文件更改

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#


include         /etc/openldap/schema/corba.schema

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/duaconf.schema

include         /etc/openldap/schema/dyngroup.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/java.schema

include         /etc/openldap/schema/misc.schema

include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/openldap.schema

include         /etc/openldap/schema/ppolicy.schema

include         /etc/openldap/schema/collective.schema


# Allow LDAPv2 client connections.  This is NOT the default.

allow bind_v2


# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral       ldap://root.openldap.org


pidfile         /var/run/openldap/slapd.pid

argsfile        /var/run/openldap/slapd.args


# Load dynamic backend modules

# - modulepath is architecture dependent value (32/64-bit system)

# - back_sql.la overlay requires openldap-server-sql package

# - dyngroup.la and dynlist.la cannot be used at the same time


# modulepath /usr/lib/openldap

# modulepath /usr/lib64/openldap


# moduleload accesslog.la

# moduleload auditlog.la

# moduleload back_sql.la

# moduleload chain.la

# moduleload collect.la

# moduleload constraint.la

# moduleload dds.la

# moduleload deref.la

# moduleload dyngroup.la

# moduleload dynlist.la

# moduleload memberof.la

# moduleload pbind.la

# moduleload pcache.la

# moduleload ppolicy.la

# moduleload refint.la

# moduleload retcode.la

# moduleload rwm.la

# moduleload seqmod.la

# moduleload smbk5pwd.la

# moduleload sssvlv.la

# moduleload syncprov.la

# moduleload translucent.la

# moduleload unique.la

# moduleload valsort.la


# The next three lines allow use of TLS for encrypting connections using a

# dummy test certificate which you can generate by running

# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk

# at self-signed certificates, however.

TLSCACertificatePath /etc/openldap/certs

TLSCertificateFile "\"OpenLDAP Server\""

TLSCertificateKeyFile /etc/openldap/certs/password


# Sample security restrictions

#       Require integrity protection (prevent hijacking)

#       Require 112-bit (3DES or better) encryption for updates

#       Require 63-bit encryption for simple bind

# security ssf=1 update_ssf=112 simple_bind=64


# Sample access control policy:

#       Root DSE: allow anyone to read it

#       Subschema (sub)entry DSE: allow anyone to read it

#       Other DSEs:

#               Allow self write access

#               Allow authenticated users read access

#               Allow anonymous users to authenticate

#       Directives needed to implement policy:

# access to dn.base="" by * read

# access to dn.base="cn=Subschema" by * read

# access to *

#       by self write

#       by users read

#       by anonymous auth

#

# if no access controls are present, the default policy

# allows anyone and everyone to read anything but restricts

# updates to rootdn.  (e.g., "access to * by * read")

#

# rootdn can always read and write EVERYTHING!


# enable on-the-fly configuration (cn=config)

database config

access to *

        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

        by * none


# enable server status monitoring (cn=monitor)

database monitor

access to *

        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read

        by dn.exact="cn=Manager,dc=my-domain,dc=com" read

        by * none


access to *

        by dn="cn=admin,dc=jc,dc=com" write

        by  anonymous auth


#######################################################################

# database definitions

#######################################################################


database        bdb

suffix          "dc=jc,dc=com"

checkpoint      1024 15

rootdn          "cn=admin,dc=jc,dc=com"

# Cleartext passwords, especially for the rootdn, should

# be avoided.  See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

# rootpw                secret

# rootpw                {crypt}ijFYNcSNctBYg

rootpw                  {SSHA}PKQau21DcwYc1kAYtXHHkmglDWWJTByB

# The database directory MUST exist prior to running slapd AND 

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

directory       /var/lib/ldap


# Indices to maintain for this database

index objectClass                       eq,pres

index ou,cn,mail,surname,givenname      eq,pres,sub

index uidNumber,gidNumber,loginShell    eq,pres

index uid,memberUid                     eq,pres,sub

index nisMapName,nisMapEntry            eq,pres,sub

moduleload syncprov.la


index entryCSN,entryUUID                eq

#master-slave 

serverID 001

syncrepl rid=123

        provider=ldap://192.168.99.23:389       #这个ip是主服务器ip

        type=refreshAndPersist

        searchbase="dc=jc,dc=com"

        attrs=*

        schemachecking=on

        bindmethod=simple

        binddn="cn=admin,dc=jc,dc=com"

        credentials="jc"

        retry="60 +"

mirrormode      on

overlay syncprov

syncprov-checkpoint 10 1

# Replicas of this database

#replogfile /var/lib/ldap/openldap-master-replog

#replica host=ldap-1.example.com:389 starttls=critical

#     bindmethod=sasl saslmech=GSSAPI

#     authcId=host/[email protected]


[root@23 openldap]# rm -rf /etc/openldap/slapd.d/* && slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

[root@23 openldap]# chown -R ldap.ldap /etc/openldap/slapd.d

[root@23 openldap]# chmod -R 000 /etc/openldap/slapd.d

[root@23 openldap]# chmod -R u+rwX /etc/openldap/slapd.d/

[root@23 openldap]# slaptest -u

config file testing succeeded


[root@23 openldap]# chown -R ldap.ldap /var/lib/ldap/

[root@23 openldap]# /etc/init.d/slapd restart        

Stopping slapd:                                            [FAILED]

Starting slapd:                                            [  OK  ]





七、openldap部署---Slave端

[root@22 ~]# ifconfig eth0

eth0      Link encap:Ethernet  HWaddr E2:E2:00:F0:96:D9  

          inet addr:192.168.99.22  Bcast:192.168.99.255  Mask:255.255.255.0

          inet6 addr: fe80::e0e2:ff:fef0:96d9/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:226380526 errors:0 dropped:0 overruns:0 frame:0

          TX packets:175444074 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:19436798674 (18.1 GiB)  TX bytes:16679397193 (15.5 GiB)

          Interrupt:23 


[root@22 ~]# yum -y install openldap-servers openldap-clients

[root@22 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@22 ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

[root@22 ~]# slappasswd 

New password: 

Re-enter new password: 

{SSHA}sIgCDJ/ASY7/CE3XqB6JKbDWoSwmHdh/


[root@22 ~]# cat /etc/openldap/slapd.conf 

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#


include         /etc/openldap/schema/corba.schema

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/duaconf.schema

include         /etc/openldap/schema/dyngroup.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/java.schema

include         /etc/openldap/schema/misc.schema

include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/openldap.schema

include         /etc/openldap/schema/ppolicy.schema

include         /etc/openldap/schema/collective.schema


# Allow LDAPv2 client connections.  This is NOT the default.

allow bind_v2


# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral       ldap://root.openldap.org


pidfile         /var/run/openldap/slapd.pid

argsfile        /var/run/openldap/slapd.args


# Load dynamic backend modules

# - modulepath is architecture dependent value (32/64-bit system)

# - back_sql.la overlay requires openldap-server-sql package

# - dyngroup.la and dynlist.la cannot be used at the same time


# modulepath /usr/lib/openldap

# modulepath /usr/lib64/openldap


# moduleload accesslog.la

# moduleload auditlog.la

# moduleload back_sql.la

# moduleload chain.la

# moduleload collect.la

# moduleload constraint.la

# moduleload dds.la

# moduleload deref.la

# moduleload dyngroup.la

# moduleload dynlist.la

# moduleload memberof.la

# moduleload pbind.la

# moduleload pcache.la

# moduleload ppolicy.la

# moduleload refint.la

# moduleload retcode.la

# moduleload rwm.la

# moduleload seqmod.la

# moduleload smbk5pwd.la

# moduleload sssvlv.la

# moduleload syncprov.la

# moduleload translucent.la

# moduleload unique.la

# moduleload valsort.la


# The next three lines allow use of TLS for encrypting connections using a

# dummy test certificate which you can generate by running

# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk

# at self-signed certificates, however.

TLSCACertificatePath /etc/openldap/certs

TLSCertificateFile "\"OpenLDAP Server\""

TLSCertificateKeyFile /etc/openldap/certs/password


# Sample security restrictions

#       Require integrity protection (prevent hijacking)

#       Require 112-bit (3DES or better) encryption for updates

#       Require 63-bit encryption for simple bind

# security ssf=1 update_ssf=112 simple_bind=64


# Sample access control policy:

#       Root DSE: allow anyone to read it

#       Subschema (sub)entry DSE: allow anyone to read it

#       Other DSEs:

#               Allow self write access

#               Allow authenticated users read access

#               Allow anonymous users to authenticate

#       Directives needed to implement policy:

# access to dn.base="" by * read

# access to dn.base="cn=Subschema" by * read

# access to *

#       by self write

#       by users read

#       by anonymous auth

#

# if no access controls are present, the default policy

# allows anyone and everyone to read anything but restricts

# updates to rootdn.  (e.g., "access to * by * read")

#

# rootdn can always read and write EVERYTHING!


# enable on-the-fly configuration (cn=config)

database config

access to *

        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

        by * none


# enable server status monitoring (cn=monitor)

database monitor

access to *

        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read

        by dn.exact="cn=Manager,dc=my-domain,dc=com" read

        by * none


access to *

        by dn="cn=admin,dc=jc,dc=com" write

        by  anonymous auth


#######################################################################

# database definitions

#######################################################################


database        bdb

suffix          "dc=jc,dc=com"

checkpoint      1024 15

rootdn          "cn=admin,dc=jc,dc=com"

# Cleartext passwords, especially for the rootdn, should

# be avoided.  See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

# rootpw                secret

# rootpw                {crypt}ijFYNcSNctBYg

rootpw                  {SSHA}sIgCDJ/ASY7/CE3XqB6JKbDWoSwmHdh/

# The database directory MUST exist prior to running slapd AND 

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

directory       /var/lib/ldap


# Indices to maintain for this database

index objectClass                       eq,pres

index ou,cn,mail,surname,givenname      eq,pres,sub

index uidNumber,gidNumber,loginShell    eq,pres

index uid,memberUid                     eq,pres,sub

index nisMapName,nisMapEntry            eq,pres,sub


moduleload syncprov.la


index entryCSN,entryUUID                eq


serverID 002

syncrepl rid=123

        provider=ldap://192.168.99.23:389

        type=refreshAndPersist

        searchbase="dc=jc,dc=com"

        attrs=*

        schemachecking=on

        bindmethod=simple

        binddn="cn=admin,dc=jc,dc=com"

        credentials="jc"

        retry="60 +"

mirrormode      on

overlay syncprov

# Replicas of this database

#replogfile /var/lib/ldap/openldap-master-replog

#replica host=ldap-1.example.com:389 starttls=critical

#     bindmethod=sasl saslmech=GSSAPI

#     authcId=host/[email protected]


[root@22 ~]# rm -rf /etc/openldap/slapd.d/* && slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

[root@22 ~]# chown -R ldap.ldap /etc/openldap/slapd.d

[root@22 ~]# chmod -R 000 /etc/openldap/slapd.d 

[root@22 ~]# chmod -R u+rwX /etc/openldap/slapd.d/

[root@22 ~]# slaptest -u

config file testing succeeded

[root@22 ~]# chown -R ldap.ldap /var/lib/ldap/

[root@22 ~]# /etc/init.d/slapd restart

Stopping slapd:                                            [FAILED]

Starting slapd:                                            [  OK  ]

八、openldap使用LAM工具管理:

[root@23 ~]# cd /var/www/html/

[root@23 html]# ll ldap-account-manager-3.7.tar.gz selfService.zip 

-rw-r--r-- 1 root root 9157357 Dec 28  2012 ldap-account-manager-3.7.tar.gz

-rw-r--r-- 1 root root   19953 May 29  2013 selfService.zip


[root@23 config]# tar -zxvf ldap-account-manager-3.7.tar.gz && mv ldap-account-manager-3.7 ldap && chown -R apache.apache /var/www/html/ldap && cd ldap && cd config

[root@23 config]# cp -rf lam.conf_sample lam.conf && cp -rf config.cfg_sample config.cfg && chown -R apache.apache *

[root@23 config]# cat lam.conf            #备注:红色部分为更改。

# LDAP Account Manager configuration

#

# Please do not modify this file manually. The configuration can be done completely by the LAM GUI.

#

###################################################################################################


# server address (e.g. ldap://localhost:389 or ldaps://localhost:636)

ServerURL: ldap://localhost:389


# list of users who are allowed to use LDAP Account Manager

# names have to be seperated by semicolons

# e.g. admins: cn=admin,dc=yourdomain,dc=org;cn=root,dc=yourdomain,dc=org

Admins: cn=admin,dc=jc,dc=com


# password to change these preferences via webfrontend (default: lam)

Passwd: {SSHA}RjBruJcTxZEdcBjPQdRBkDaSQeY= iueleA==


# suffix of tree view

# e.g. dc=yourdomain,dc=org

treesuffix: dc=jc,dc=com


# default language (a line from config/language)

defaultLanguage: zh_CN.utf8:UTF-8:简体中文 (中国)


# Path to external Script

scriptPath: 


# Server of external Script

scriptServer: 


# Access rights for home directories

scriptRights: 750


# Number of minutes LAM caches LDAP searches.

cachetimeout: 5


# LDAP search limit.

searchLimit: 0


# Module settings


modules: posixAccount_minUID: 10000

modules: posixAccount_maxUID: 30000

modules: posixAccount_minMachine: 50000

modules: posixAccount_maxMachine: 60000

modules: posixGroup_minGID: 10000

modules: posixGroup_maxGID: 20000

modules: posixGroup_pwdHash: SSHA

modules: posixAccount_pwdHash: SSHA


# List of active account types.

activeTypes: user,group,host,smbDomain



types: suffix_user: ou=People,dc=jc,dc=com

types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber

types: modules_user: inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount


types: suffix_group: ou=group,dc=jc,dc=com

types: attr_group: #cn;#gidNumber;#memberUID;#description

types: modules_group: posixGroup,sambaGroupMapping


types: suffix_host: ou=machines,dc=jc,dc=com

types: attr_host: #cn;#description;#uidNumber;#gidNumber

types: modules_host: account,posixAccount,sambaSamAccount


types: suffix_smbDomain: dc=jc,dc=com

types: attr_smbDomain: sambaDomainName:Domain name;sambaSID:Domain SID

types: modules_smbDomain: sambaDomain


# Password mail subject

lamProMailSubject: Your password was reset


# Password mail text

lamProMailText: Dear @@givenName@@ @@sn@@,+::++::+your password was reset to: @@newPassword@@+::++::++::+Best regards+::++::+deskside support+::+




# enable TLS encryption

useTLS: no



# Access level for this profile.

accessLevel: 100



# Login method.

loginMethod: list



# Search suffix for LAM login.

loginSearchSuffix: dc=yourdomain,dc=org



# Search filter for LAM login.

loginSearchFilter: uid=%USER%



# Bind DN for login search.

loginSearchDN: 



# Bind password for login search.

loginSearchPassword: 



# HTTP authentication for LAM login.

httpAuthentication: false



# Password mail from

lamProMailFrom: 



# Password mail reply-to

lamProMailReplyTo: 



# Password mail is HTML

lamProMailIsHTML: false

[root@23 config]# cp -rf /var/www/html/selfService.zip /var/www/html/ldap/templates/

[root@23 templates]# unzip -o selfService.zip 

Archive:  selfService.zip

  inflating: selfService/adminLogin.php  

  inflating: selfService/adminMain.php  

  inflating: selfService/profManage.php  

  inflating: selfService/selfServiceLogin.php  

  inflating: selfService/selfServiceMain.php  

  inflating: selfService/selfServiceSP.php  

[root@23 templates]# chown -R ldap.ldap selfService

[root@23 templates]# /etc/init.d/slapd restart

 [root@23 templates]# /etc/init.d/httpd restart

 [root@23 templates]# netstat -lntp|grep 389

tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      3397/slapd          

tcp        0      0 :::389                      :::*                        LISTEN      3397/slapd          

[root@23 templates]# netstat -lntp|grep 80

tcp        0      0 :::80                       :::*                        LISTEN      3476/httpd



八:#访问openldap管理页面:http://192.168.99.23/ldap  并且添加一个账户jiechao,做同步测试用。

wKiom1VkOumSf8XYAADBcpRtac4829.jpg

wKiom1VkOzKwEcnsAADf4BP1qPo396.jpg




九、Master-Slave测试是否同步:

wKiom1VkO9zzRABWAADRxaZrYeg551.jpg



你可能感兴趣的:(部署,LDAP,主从,主从架构)